3min. read

Cybercrime: The Underground Economy

The success of any industry is reliant on its economics. Cybercrime is no different, maintaining its own economy of commoditized products and services

The success of an industry is reliant on its economics – the ­production, allocation and use of its goods and services. Cybercrime, like any ­other industry­ or business, maintains its own economy of commoditized ­products and services.


The products of the cybercrime economy, similar to any other product in any other industry,­ benefit both the seller and the buyers. The sellers benefit from quick and discrete­ payout and the buyers benefit from “out of the box” malicious operations that can be implemented immediately. These products can be broken down into two main categories: information and resources.

Information includes commodities such as:

  • Stolen personally identifiable information (PII): This includes everything from mass email lists used by spammers to full identity theft packages to commit financial fraud.
  • Exfiltrated organizational information: This includes intellectual capital/property, nonpublic internal data and internal operational details.
  • Harvested authentication credentials: Stolen username and password combinations­ continue to present a significant risk these days, especially when the same credentials are re-used across multiple sites.
  • Pilfered financial data: Unauthorized withdrawals from accounts or charges against credit lines continue to plague account holders. 

Resources include such element as:

  • Access to feature-rich malware: Malware across varying capabilities (e.g., ­information stealers, remote administration tools – RATs, ransomware, ­purpose-built utilities) that demonstrate consistent results and avoid source code leakage can generate significant revenue for associated authors and distributors. 
  • Purchase of system or software exploits: While many white hats elect to support bug bounty initiatives by vendors, there remains a lucrative underground market for reliable, unpatched exploits.
  • Transfer of control for previously compromised machines: This usually applies to always-on servers that can then be used as attack platforms or sold for the information­ they store.
  • Malicious actor training: Training is offered through guidebooks or tutorials on effective tool usage and specific tactics, techniques and procedures (TTPs).


The services offered within the cybercrime economy utilizes a leasing structure, in which access to a product is promised at a set rate for a fixed period of time. The sellers benefit from a guaranteed source of recurrent revenue throughout an extended period of time, and buyers benefit from the continued availability and performance of malicious tools. 

These services include offerings such as:

  • Distributed denial of service (DDoS): These are botnet powered attacks that affect the availability of targeted servers and capabilities.
  • Exploit kits (EKs): As part of the service offering, exploit kits are typically leased with a monthly rate for access to the exploit toolkit, allowing for customized end payloads.
  • Infrastructure rental: These include hosting services for attack platforms, malware updates, configuration, command and control (C2), and other attack lifecycle functions.
  • Money laundering: This is known as the transfer (“money muling”) of illegally obtained funds through accounts and mechanisms in money haven countries remains a key service.

Read our blog series Exploring the Cybercrime Underground to learn more.